Hello,
I noticed that the PGP key used for signing the Debian release packages
recently expired. I went to download the new one and noticed that nginx.org
wasn't using HTTPS by default. Manually entering a https URL works as
expected, although some pages have hard coded http links in them.
Is there a reason that the website isn't using HTTPS and STS / HPKP? It
would help mitigate potential MITM attacks especially on precompiled
binaries and PGP key downloads.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20160819/d0ac6ef5/attachment.html>